Hackers infect TP-Link router firmware to attack EU entities

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,698
A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations.

The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks.

"It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks," explains the Check Point report.

"Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers."

The deployed malware allows the threat actors full access to the device, including running shell commands, uploading and downloading files, and using it as a SOCKS proxy to relay communication between devices.

The Horse Shell TP-Link firmware implant was discovered by Check Point Research in January 2023, who says the hackers' activity overlaps with the Chinese "Mustang Panda" hacking group recently detailed in Avast and ESET reports.

Check Point tracks this activity separately using the "Camaro Dragon" name for the activity cluster despite the similarities and considerable overlap with Mustang Panda.

The attribution was made based on attackers' server IP addresses, requests featuring hard-coded HTTP headers found on various Chinese websites, many typos in the binary code that show the author isn't a native English speaker, and functional similarities of the trojan with the APT31 "Pakdoor" router implant.
While Check Point has not determined how the attackers infect TP-Link routers with the malicious firmware image, they said it could be by exploiting a vulnerability or brute-forcing the administrator's credentials.

Once a threat actor gains admin access to the management interface, they can remotely update the device with the custom firmware image.

Through investigation, Check Point found two samples of trojanized firmware images for TP-Link routers, both containing extensive modifications and file additions.

Check Point compared the malicious TP-Link firmware with a legitimate version and found that the kernel and uBoot sections were the same. However, the malicious firmware utilized a custom SquashFS filesystem that contained additional malicious file components that are part of the Horse Shell backdoor malware implant.

"Parts of it are internally named Horse Shell so we use it to name the implant as a whole. The implant provides the attacker with 3 main functionalities: remote shell, file transfer, and tunneling," explains Check Point.

The firmware also modifies the management web panel, preventing the device's owner from flashing a new firmware image for the router and ensuring the persistence of the infection.
 

I Walk MY Way

Level 7
Verified
Well-known
May 27, 2013
300
This has happened to my friend the other day his TP-Link router was taken over And his password was changed, he could no longer access the admin console, And the app on his phone no longer worked He reset the router By the button on the back This however did not work So in the end You disconnected it and and purchased And a Netgear.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,825
This has happened to my friend the other day his TP-Link router was taken over And his password was changed, he could no longer access the admin console, And the app on his phone no longer worked He reset the router By the button on the back This however did not work So in the end You disconnected it and and purchased And a Netgear.
Was their firmware up to date?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top